Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp626916yba; Thu, 16 May 2019 06:33:40 -0700 (PDT) X-Google-Smtp-Source: APXvYqxNd8uNrGyfqY0eKE347SepuBTXRxUiXS1kUmJ0bh4zCNejKHDdF6AcqVFum3uMGvo0m3xA X-Received: by 2002:a63:5c5b:: with SMTP id n27mr50917322pgm.52.1558013619975; Thu, 16 May 2019 06:33:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558013619; cv=none; d=google.com; s=arc-20160816; b=LouK7K8HykDMYSDwsdPK5HzbsVChbVAGeGwG2aDmh4pniROR6W+Ud+LZyktdZBf+d1 CTKx88hylmGfKjrMGBWOxSYRXhFmZQ6PxOptCgCfckVdWp3jLPEPWkUDwESkQ07RH2uW art2BKhwmWSDcqyEF8MH1bRabhvyF/wq3SNk+30dK3yr41jkTGq8aaaGMGpca42JIQdW 2KwpYmpeQZAivRCaDlgr5TWL9179Xn0svxmyUjDXw+W0Ao6S95EmmYx0RfwHwhgOop8O 7YVxp9R5NfZ1iifxH6WxhK1kL84B+ZUYshEpVsVfqCEh4vKj3DS7CNqT7ovz10EYjeeF Xcpg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject; bh=D1As5o0lykP1tYrTEa3MuvYTO8u7A8GdAA5ihj9UyUw=; b=ADp51gvGA4hu8kF5oyeGh3qfbIwKz67vcotj+IPMRW4qF+ahVIo2CPQNB2l79LL79T 4k4LznZdoKZM28h/IztNpZDmtcI//rzFagpzAUfMc2gaA2ZTr5ypEYSURdxOwGm1w0fu fiIuQ8kYCuHtMZ+IA7ql0sbEbidn8/XX07mT38Am4VmmLIvEsSsCNi3Nc5+LHuEKw1Cn a+a5JF5RF95tbeJGDu1bTwKul3TJUwE+ioEsrYJkC3Hr9OMQut+U1mFFFF171TMQoWKM 5F/92SqGzBtifBe5uBhA/HSzyg0M8VYlhXgqkcwGvIYG3HmrPvwcmyGR0MFb4ww5ujwD Petw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ay1si4960625plb.96.2019.05.16.06.33.23; Thu, 16 May 2019 06:33:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727590AbfEPNby (ORCPT + 99 others); Thu, 16 May 2019 09:31:54 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:51702 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726742AbfEPNby (ORCPT ); Thu, 16 May 2019 09:31:54 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x4GDQxBZ101156 for ; Thu, 16 May 2019 09:31:52 -0400 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0b-001b2d01.pphosted.com with ESMTP id 2sh7x62y38-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 16 May 2019 09:31:52 -0400 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 16 May 2019 14:31:50 +0100 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 16 May 2019 14:31:46 +0100 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x4GDVjWR52035654 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 May 2019 13:31:45 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1DBFFAE056; Thu, 16 May 2019 13:31:45 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 63E07AE045; Thu, 16 May 2019 13:31:43 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.95.230]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 16 May 2019 13:31:43 +0000 (GMT) Subject: Re: [PATCH v2 0/3] initramfs: add support for xattrs in the initial ram disk From: Mimi Zohar To: Arvind Sankar , Roberto Sassu , Mehmet Kayaalp Cc: James Bottomley , Rob Landley , Andy Lutomirski , Arvind Sankar , LKML , Linux API , Linux FS Devel , linux-integrity , initramfs@vger.kernel.org, Silviu Vlasceanu Date: Thu, 16 May 2019 09:31:32 -0400 In-Reply-To: <20190516052934.GA68777@rani.riverdale.lan> References: <4f522e28-29c8-5930-5d90-e0086b503613@landley.net> <1557861511.3378.19.camel@HansenPartnership.com> <4da3dbda-bb76-5d71-d5c5-c03d98350ab0@landley.net> <1557878052.2873.6.camel@HansenPartnership.com> <20190515005221.GB88615@rani.riverdale.lan> <20190515160834.GA81614@rani.riverdale.lan> <20190516052934.GA68777@rani.riverdale.lan> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 19051613-0020-0000-0000-0000033D5A54 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19051613-0021-0000-0000-000021902221 Message-Id: <1558013492.4581.97.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-05-16_11:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905160090 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2019-05-16 at 01:29 -0400, Arvind Sankar wrote: > I think that's a separate issue. If you want to allow people to be able > to put files onto the system that will be IMA verified, they need to > have some way to locally sign them whether it's inside an initramfs or > on a real root filesystem. Anyone building their own kernel can build their own key into the kernel image.  Another option is to build the kernel with   CONFIG_SYSTEM_EXTRA_CERTIFICATE enabled, allowing an additional certificate to be inserted into the kernel image post build.  The additional certificate will be loaded onto the builtin kernel keyring.  Certificates signed with the private key can then be added to the IMA keyring.  By modifying the kernel image, the kernel image obviously needs to be resigned.  Additional patches "Certificate insertion support for x86 bzImages" were posted, but have not been upstreamed. This patch set adds the security xattrs needed by IMA. Mimi